Snort mailing list archives
Re: ATTACK RESPONSES id check returned root
From: Chris Green <cmg () sourcefire com>
Date: Tue, 08 Oct 2002 10:34:40 -0400
Dallas Jordan <DJordan () sawgrassink com> writes:
Does anyone know what could possibly set this alert off? I have checked Google and didn't come up with anything specific. I have gotten a couple of these this morning and was just wondering what I should be on the lookout for. Thanks for any suggestions.
bash-2.05# id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon) Client Exploit -> Server buffer overflow Server -> Client -> shell Client -> Server # id Server -> Client "you are root" It's either someone admining a machine over telnet,someone mailing about it, or a real root exploit. -- Chris Green <cmg () sourcefire com> Fame may be fleeting but obscurity is forever. ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- ATTACK RESPONSES id check returned root Dallas Jordan (Oct 08)
- Re: ATTACK RESPONSES id check returned root Chris Green (Oct 08)
- <Possible follow-ups>
- RE: ATTACK RESPONSES id check returned root McCammon, Keith (Oct 08)
- RE: ATTACK RESPONSES id check returned root Metz, Tim (Oct 08)
- RE: ATTACK RESPONSES id check returned root Semerjian, Ohanes (Oct 08)